[PATCH] gnu: services: Install policies for polkit service.

[PATCH] gnu: services: Install policies for polkit service.

[Andy Wingo]

[-- Attachment #1: Type: text/plain, Size: 1616 bytes --]

The polkit service wasn't installing its own .policy files.  This adds
the configured polkit package to the list of services to scan for
.policy files.

Incidentally there are a few more:

$ for i in `find /gnu/store -name '*.policy'`; do basename $i; done | sort -u
org.freedesktop.color.policy
org.freedesktop.login1.policy
org.freedesktop.policykit.examples.pkexec.policy
org.freedesktop.policykit.policy
org.freedesktop.udisks2.policy
org.gnome.settings-daemon.plugins.power.policy
org.gnome.settings-daemon.plugins.wacom.policy
org.xfce.session.policy
org.xfce.thunar.policy
org.x.xf86-video-intel.backlight-helper.policy

$ ls /etc/polkit-1/actions/
org.freedesktop.color.policy   org.freedesktop.policykit.examples.pkexec.policy  org.freedesktop.udisks2.policy
org.freedesktop.login1.policy  org.freedesktop.policykit.policy

Should we add gnome-settings-daemon as a system service, just to get its
policies into polkit?  Incidentally I would *really* like the end result
of this -- right now I can't change the backlight using the keys on my
laptop.  The deal is that changing the backlight requires root privs,
and org.gnome.settings-daemon.plugins.power.policy can give root privs
to a helper in gnome-settings-daemon for this purpose.  That's how this
works in GNOME.  It seems the xf86-video-intel backlight helper can do
the same, and I don't think it's intel-specific
(https://cgit.freedesktop.org/xorg/driver/xf86-video-intel/tree/tools/backlight_helper.c)
but it isn't wired up to anything, as far as I can tell.

Concretely: what to do about gnome-settings-daemon, xfce4-session, and
thunar?

Andy


[-- Attachment #2: 0001-gnu-services-Install-policies-for-polkit-service.patch --]
[-- Type: text/plain, Size: 944 bytes --]

From 01d5827d833452e91d5cffa4604aea6a44a78092 Mon Sep 17 00:00:00 2001
From: Andy Wingo <wingo@igalia.com>
Date: Sun, 21 Feb 2016 22:06:12 +0100
Subject: [PATCH] gnu: services: Install policies for polkit service.

* gnu/services/desktop.scm (polkit-etc-files): Add the polkit package
  itself to the list of packages to scan for .policy files.  This add
  support for pkexec.
---
 gnu/services/desktop.scm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm
index e4f0736..02bcf1b 100644
--- a/gnu/services/desktop.scm
+++ b/gnu/services/desktop.scm
@@ -378,7 +378,7 @@ site} for more information."
 (define polkit-etc-files
   (match-lambda
     (($ <polkit-configuration> polkit packages)
-     `(("polkit-1" ,(polkit-directory packages))))))
+     `(("polkit-1" ,(polkit-directory (cons polkit packages)))))))
 
 (define polkit-setuid-programs
   (match-lambda
-- 
2.6.3

Re: [PATCH] gnu: services: Install policies for polkit service.

[Ludovic Courtès]

Andy Wingo <wingo@igalia.com> skribis:

> The polkit service wasn't installing its own .policy files.  This adds
> the configured polkit package to the list of services to scan for
> .policy files.

Ouch, indeed.

> Incidentally there are a few more:
>
> $ for i in `find /gnu/store -name '*.policy'`; do basename $i; done | sort -u
> org.freedesktop.color.policy
> org.freedesktop.login1.policy
> org.freedesktop.policykit.examples.pkexec.policy
> org.freedesktop.policykit.policy
> org.freedesktop.udisks2.policy
> org.gnome.settings-daemon.plugins.power.policy
> org.gnome.settings-daemon.plugins.wacom.policy
> org.xfce.session.policy
> org.xfce.thunar.policy
> org.x.xf86-video-intel.backlight-helper.policy
>
> $ ls /etc/polkit-1/actions/
> org.freedesktop.color.policy   org.freedesktop.policykit.examples.pkexec.policy  org.freedesktop.udisks2.policy
> org.freedesktop.login1.policy  org.freedesktop.policykit.policy
>
> Should we add gnome-settings-daemon as a system service, just to get its
> policies into polkit?

Probably.  Same for Xfce I guess?

While at it these GNOME and Xfce services should probably do everything
needed to get a full-blown GNOME/Xfce environment.

> Incidentally I would *really* like the end result of this -- right now
> I can't change the backlight using the keys on my laptop.  The deal is
> that changing the backlight requires root privs, and
> org.gnome.settings-daemon.plugins.power.policy can give root privs to
> a helper in gnome-settings-daemon for this purpose.  That's how this
> works in GNOME.  It seems the xf86-video-intel backlight helper can do
> the same, and I don't think it's intel-specific
> (https://cgit.freedesktop.org/xorg/driver/xf86-video-intel/tree/tools/backlight_helper.c)
> but it isn't wired up to anything, as far as I can tell.

OK, interesting.  Same thing with the power-off button in Xfce/GNOME, I
guess?

> Concretely: what to do about gnome-settings-daemon, xfce4-session, and
> thunar?

What about adding a ‘gnome-session-service’ and an
‘xfce4-session-service’, each of which would extend polkit (the latter
would also pass the Thunar policies)?

Eventually, we could change the SLiM service to be extended by these two
things.

> From 01d5827d833452e91d5cffa4604aea6a44a78092 Mon Sep 17 00:00:00 2001
> From: Andy Wingo <wingo@igalia.com>
> Date: Sun, 21 Feb 2016 22:06:12 +0100
> Subject: [PATCH] gnu: services: Install policies for polkit service.
>
> * gnu/services/desktop.scm (polkit-etc-files): Add the polkit package
>   itself to the list of packages to scan for .policy files.  This add
>   support for pkexec.

OK!

Thanks,
Ludo’.

Re: [PATCH] gnu: services: Install policies for polkit service.

[Andy Wingo]

On Mon 22 Feb 2016 15:15, ludo@gnu.org (Ludovic Courtès) writes:

> Andy Wingo <wingo@igalia.com> skribis:
>
>> Concretely: what to do about gnome-settings-daemon, xfce4-session, and
>> thunar?
>
> What about adding a ‘gnome-session-service’ and an
> ‘xfce4-session-service’, each of which would extend polkit (the latter
> would also pass the Thunar policies)?
>
> Eventually, we could change the SLiM service to be extended by these two
> things.

Makes sense to me.  We are effectively granting permission to these
desktop environment to do a limited set of things as root, so they do
need to be services.

Incidentally, when with this patch I tried to run "pkexec ls", I was
able to go farther in the process -- the pkexec program embeds an
authentication agent, if the desktop environment doesn't provide one,
which can read a password from the console.  So you're asked for the
root password to be able to run "ls", but then it fails with a message
that polkit knew "no session for cookie".  I guess this means that there
still is something not quite working between logind and polkit.  Or, it
could be related to X -- at startup X warns about not being able to
integrate with logind for some reason, so perhaps that's it.

Relatedly, for the power button and lid switch under GNOME: I assume
that GNOME inhibits logind's default power button handler in favor of
its own.  There's an interface for that.  But then somehow the
permissions don't work out right, probably due to the same reason, that
polkit can't make the link between the user and their session.  Well,
we'll figure it out I guess :)

Andy